The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the way BIND handles dynamic update message packets containing the "ANY" record type. A remote attacker could use this flaw to send a specially-crafted dynamic update packet that could cause named to exit with an assertion failure. (CVE-2009-0696)

Note: even if named is not configured for dynamic updates, receiving such a specially-crafted dynamic update packet could still cause named to exit unexpectedly.
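For monitoring until the update is installed, the following added example (not part of the advisory or of BIND) parses a raw DNS message and flags dynamic update messages (opcode 5) that carry an entry of type ANY, the combination described above. The function names and sample packets are constructed for illustration; RFC 2136 also uses type ANY in legitimate updates, so a hit is a lead for review, and on a server that does not use dynamic updates any message with is_update set is worth logging.

```python
import struct
OPCODE_UPDATE = 5   # dynamic update (RFC 2136)
TYPE_ANY = 255      # the "ANY" record type

def _skip_name(msg, off):
    """Return the offset just past a domain name (pointers are not followed)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends the name
            return off
        off += length

def inspect_dns(msg):
    """Report the opcode and the number of type-ANY entries in one DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, n_zone, n_pre, n_upd, n_add = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    off, any_count = 12, 0
    try:
        for _ in range(n_zone):                  # question/zone: name, type, class
            off = _skip_name(msg, off)
            rtype, _cls = struct.unpack_from("!2H", msg, off)
            any_count += int(rtype == TYPE_ANY)
            off += 4
        for _ in range(n_pre + n_upd + n_add):   # full resource records
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
            any_count += int(rtype == TYPE_ANY)
            off += 10 + rdlen
        if off > len(msg):
            raise IndexError(off)
    except (IndexError, struct.error):
        raise ValueError("malformed DNS message") from None
    upd = opcode == OPCODE_UPDATE
    return {"opcode": opcode, "is_update": upd, "any_records": any_count,
            "flag": upd and any_count > 0}

def _name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\0"
# Constructed samples: an ordinary A query, and an RFC 2136 "delete all RRsets" update.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + _name("example.test") + struct.pack("!2H", 1, 1))
SAMPLE_UPDATE = (struct.pack("!6H", 0x1235, 0x2800, 1, 0, 1, 0)
                 + _name("example.test") + struct.pack("!2H", 6, 1)
                 + _name("host.example.test") + struct.pack("!2HIH", 255, 255, 0, 0))
```
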

This update also fixes the following bug:

* when running on a system receiving a large number of (greater than 4,000) DNS requests per second, the named DNS nameserver became unresponsive, and the named service had to be restarted in order for it to continue serving requests. This was caused by a deadlock occurring between two threads that led to the inability of named to continue to service requests. This deadlock has been resolved with these updated packages so that named no longer becomes unresponsive under heavy load. (BZ#512668)

All BIND users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259